The New York Times reports that the vulnerabilities were discovered and sold to authorities by the Israeli security company NSO Group.
Investigators discovered that a company called the NSO Group, an Israeli outfit that sells software that invisibly tracks a target’s mobile phone, was responsible for the intrusions. The NSO Group’s software can read text messages and emails and track calls and contacts. It can even record sounds, collect passwords and trace the whereabouts of the phone user.
Zamir Dahbash, an NSO Group spokesman, said in an email, “The company sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations.”
Dahbash also noted that NSO Group does not operate any of its systems and requires that its customers use its products in a “lawful manner.”
“Specifically, the products may only be used for the prevention and investigation of crimes.”
The vulnerabilities were brought to light after UAE human rights activist Ahmed Mansoor received some suspicious text messages. He shared the messages with Citizen Lab, which then brought in Lookout to help examine the code. Together they discovered the three previously unknown iOS vulnerabilities and informed Apple about their existence.
Apple fixed the holes 10 days after a tip from Bill Marczak at Citizen Lab and John Scott-Railton at Lookout.
“We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits,” said Fred Sainz, an Apple spokesman.
You can download iOS 9.3.5 from here.